Creating incidents from IBM QRadar SIEM offenses via BMC Helix Integration Service
As an administrator, you can integrate BMC Helix ITSM with IBM QRadar SIEM to create incidents in BMC Helix ITSM from QRadar SIEM offenses. You can enable this integration by using BMC Helix Integration Service connectors and flows. BMC Helix Multi-Cloud Broker automatically creates an incident in BMC Helix ITSM whenever an offense is generated in QRadar SIEM. Changes in the status of tickets and comments are also synchronized between BMC Helix ITSM and QRadar SIEM. You can create two types of incidents for QRadar offenses based on the flow you configure:
- Security incident
- Infrastructure event
The following image displays the Smart IT incident that is created when an offense is triggered. You can view the details of the offense on the Smart IT interface, and also open the offense from the ticket details and the Activity tab.
Before you begin
Complete all preconfiguration tasks before you configure QRadar SIEM integration.
To select the integration option for QRadar SIEM
- Log in to BMC Helix Innovation Suite.
- On Workspace, click Multi-Cloud Broker.
  To launch BMC Helix Multi-Cloud Broker, click Visit Deployed Application.
Tip
You can access BMC Helix Multi-Cloud Broker directly by entering the URL https://hostName:portNumber/helix/index.html#/com.bmc.dsm.mcsm/login and logging in as a tenant administrator.
- To open the configuration page, click Settings.
- Select Start Here > Quick Configuration Guide.
- In the Step 1: Choose configuration tab, perform the following steps:
  a. From the Choose configuration list, select the Helix integration service.
  b. Under Security, select IBM QRadar to ITSM Incident, and click Next.
  The Perform configurations tab displays a list of the common configurations, connectors, flows, connector targets, and processes that you need to configure, as described in the next tasks.
To map QRadar SIEM vendor data to ITSM or Smart IT
Configuring vendor data includes setting up a vendor organization and defining vendor mappings for the technology provider. Vendor mapping ensures that your vendor is notified about changes to the ITSM fields: updates are sent as a comment to the corresponding vendor ticket.
- If you have not already done so, set up the vendor organizations: on the Perform configurations tab, click Manage Vendor Organizations. For instructions, see Performing common preconfiguration tasks.
- To add or update the vendor mapping, on the Perform configurations tab, click Manage Vendor Metadata.
- On the Configure Vendor Metadata page, open the Map New Vendor page and enter a Description that makes it easy for you to identify the vendor metadata configuration.
- Select the Ticketing Technology Provider, which is the application the vendor uses to manage tickets. For QRadar SIEM, select QRadar. The vendors and their providers are:

  | Vendor | Ticketing Technology Provider |
  | Amazon AWS | (provider name not shown on this page) |
  | JIRA Software | JIRA |
  | Salesforce Service Cloud | Service Cloud |
  | CA Agile Central | Agile Central |
  | ITSM Vendor | ITSM |
  | JIRA Software Service Desk | JIRA Service Desk |
  | Microsoft Azure DevOps | Azure DevOps |
  | Azure Monitor | Azure Alerts |
  | IBM QRadar | QRadar |
  | BMC TrueSight Operations Management | TrueSight Ops Mgmt for PSR |

- Click Add Mapping.
  By default, the Instance URL, Vendor Field Mapping, and Display Field Mapping fields are displayed.
- Update the Instance URL with the ticketing technology provider server and port details. Enter the https URL of the QRadar console; the connector account authenticates to this address, so a plain-http address would send its credentials and offense data in clear.
- To add or delete mapped field values, click { } to open the JSON editor, and modify Display Field Mapping.
  Display field mapping defines how vendor ticket fields map to the fields on the Smart IT console.
- (Optional) If you do not want the ITSM ticket to be automatically resolved when the corresponding ticket is closed by your vendor, clear the Resolve Incident Ticket When Vendor Closes It toggle.
  By default, BMC Helix Multi-Cloud Broker resolves the ITSM ticket when the corresponding ticket is closed by the vendor.
- From the Integration Platform list, select Integration Service.
To configure connectors for integrating ITSM and QRadar SIEM with BMC Helix Multi-Cloud Broker
For each feature you selected, complete the following procedure for the connectors listed on the Configuration Links page.
- To navigate to BMC Helix Integration Service, on the Configuration Links page, click Configure connectors in Integration Studio under Required Common Configurations.
  You must configure the connectors listed for each feature, in addition to the connectors listed under Required Common Configuration.
- To enter field values, select a connector, such as ITSM, and click Configuration.
  You might need to click the arrow on the ribbon in the lower section of the screen to open the Configuration pane.
- To update the configuration defaults, enter the appropriate field values by referring to the list of connectors at the end of this procedure.
- To add or update the user account that is used to access the vendor application, click Accounts.
  Use a dedicated service account with only the permissions the connector needs rather than a personal administrator account: the connector stores these credentials and uses them for every flow run.
List of connectors and configuration values for integration with QRadar SIEM
To configure flow triggers and field mappings between ITSM, BMC Helix Multi-Cloud Broker, and QRadar SIEM
For each feature you selected, complete this procedure for the flows listed on the Configuration Links page.
- To navigate to BMC Helix Integration Service, on the Configuration Links page, click Configure flows in Integration Studio under Required Common Configurations.
  You need to configure the flows listed for each feature, in addition to the flows listed under Required Common Configuration.
- To open the flow template page, on the Catalog tab in Integration Studio, click the flow you want to configure.
- Create a copy of the flow template.
- Select the appropriate accounts for the end-point connectors of the selected flow.
  You specify the connector accounts when configuring connectors.
- To update the name of the flow that you have copied from the flow template, select My Flow, open the flow that you copied, and update the title.
- Specify the trigger Conditions and Field mapping, and click OK.
  For more information about trigger conditions and field mappings, see the list of flows at the end of this procedure.
- Click My Flows and select the flow that you created from the flow template.
- To verify the target values for the trigger conditions and the field mappings, in the right pane, click Details.
List of flows and configuration values for integration with QRadar SIEM
Important
You can configure one of the following flows, based on the incident type you want to create for IBM QRadar offenses:
- Create Incident from IBM QRadar Offense: creates an incident of type Infrastructure Event.
- Create Security Incident from IBM QRadar Offense: creates an incident of type Security. To use this flow, you must have Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM: Smart IT version 20.02 or later, and you must complete the following configurations in Remedy ITSM Suite and Smart IT:
  - Configuring settings for managing security incidents, in the BMC Helix ITSM: Service Desk documentation.
  - Configuring settings for managing security incidents, in the Smart IT documentation.
To define connector targets for QRadar SIEM integration
BMC preconfigures the out-of-the-box connector targets for all BMC Helix Multi-Cloud Broker features. If you want to update the connector configuration or account information, update the connector target for the feature.
Warning
Do not delete the out-of-the-box connector targets.
- To navigate to BMC Helix Innovation Suite, in the Configuration Links page, click Configure Connector Targets in Innovation Studio under Required Common Configurations.
  You need to configure the connector targets listed for each feature on the Configuration Links page, in addition to the ones listed under Required Common Configuration.
- Click the connector target you want to configure, or create a new connector target.
- Enter or update the following values and save the configuration.

  | Field | Instructions |
  | Name | Enter a unique name for the configuration. The name is associated with the process that is related to the connector you are configuring. |
  | Connector Type | Select the connector type from the list of connectors available to you in BMC Helix Integration Service. |
  | Configuration | Select a configuration from the list. For example, if you select qradar as the Connector Type, all the configurations that you have made for qradar are displayed in the Configuration list. |
  | Profile | Select a profile. For example, if you select qradar as the Connector Type, all the profiles that you have created for qradar are displayed in the Profile list. |
List of connector targets for integration with QRadar SIEM
When you complete the configuration for all the components, verify that incidents are created in ITSM from QRadar SIEM.
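One way to make that verification repeatable is to pull the open offenses from QRadar and reconcile them against the incidents in ITSM, reporting offenses with no incident, offenses that produced duplicate incidents, and offenses QRadar has closed whose incident was never resolved (which is expected only if the auto-resolve toggle was cleared). The following script is an added example and is not BMC's or IBM's code. The QRadar request (GET /api/siem/offenses with a SEC token header) is the documented QRadar REST API; everything on the ITSM side is an assumption: the incident record layout and the field that carries the offense identifier (VENDOR_TICKET_FIELD) must be changed to match the Vendor Field Mapping you configured above. The sample offenses and incidents at the bottom are constructed so the reconciliation can run offline.

```python
"""Post-configuration check: does every QRadar offense have a matching ITSM incident?

Added example, not BMC's or IBM's code. The QRadar call is the documented REST
API; the ITSM record layout and VENDOR_TICKET_FIELD are assumptions that must be
aligned with the Vendor Field Mapping configured in Multi-Cloud Broker.
"""
import json
import urllib.request
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed ITSM field that carries the QRadar offense id (set by the vendor mapping).
VENDOR_TICKET_FIELD = "VendorTicketId"
# ITSM statuses that count as the ticket having been resolved.
RESOLVED_STATUSES = {"Resolved", "Closed"}


def check_instance_url(url: str) -> List[str]:
    """Return problems with the Instance URL entered in the vendor mapping.

    The mapping wants server and port only; a plain-http address would send the
    connector account's credentials and offense data in clear.
    """
    parts = urlsplit(url)
    problems: List[str] = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host name in URL")
    if parts.path not in ("", "/") or parts.query:
        problems.append("URL must be server and port only, without a path or query")
    return problems


def fetch_qradar_offenses(console_url: str, sec_token: str, version: str = "15.0") -> List[dict]:
    """Fetch OPEN offenses from the QRadar console (network call; not exercised offline)."""
    req = urllib.request.Request(
        console_url.rstrip("/") + "/api/siem/offenses?filter=status%3D%22OPEN%22",
        headers={"SEC": sec_token, "Version": version, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def reconcile(offenses: List[dict], incidents: List[dict]) -> Dict[str, object]:
    """Compare offenses with incidents and report the gaps.

    missing:           offense ids with no incident at all
    duplicates:        offense ids that produced more than one incident
    status_mismatches: offenses QRadar has CLOSED whose incident is not resolved
    matched:           offense id -> Incident Number of the first matching incident
    """
    by_vendor_id: Dict[str, List[dict]] = {}
    for inc in incidents:
        vid = str(inc.get(VENDOR_TICKET_FIELD, "")).strip()
        if vid:
            by_vendor_id.setdefault(vid, []).append(inc)

    missing: List[str] = []
    duplicates: Dict[str, List[str]] = {}
    mismatches: List[str] = []
    matched: Dict[str, str] = {}
    for off in offenses:
        oid = str(off["id"])
        incs = by_vendor_id.get(oid, [])
        if not incs:
            missing.append(oid)
            continue
        matched[oid] = incs[0]["Incident Number"]
        if len(incs) > 1:
            duplicates[oid] = [i["Incident Number"] for i in incs]
        if off.get("status") == "CLOSED" and incs[0].get("Status") not in RESOLVED_STATUSES:
            mismatches.append(oid)
    return {"missing": missing, "duplicates": duplicates,
            "status_mismatches": mismatches, "matched": matched}


# Constructed sample data (not real records): three offenses, two incidents.
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Multiple Login Failures for the Same User", "status": "OPEN", "magnitude": 6},
    {"id": 102, "description": "Excessive Firewall Denies", "status": "CLOSED", "magnitude": 3},
    {"id": 103, "description": "Remote Access from Unusual Location", "status": "OPEN", "magnitude": 8},
]
SAMPLE_INCIDENTS = [
    {"Incident Number": "INC000000000101", "Status": "Assigned", VENDOR_TICKET_FIELD: "101"},
    {"Incident Number": "INC000000000102", "Status": "In Progress", VENDOR_TICKET_FIELD: "102"},
]

if __name__ == "__main__":
    print("Instance URL problems:", check_instance_url("http://qradar.example.internal"))
    print(json.dumps(reconcile(SAMPLE_OFFENSES, SAMPLE_INCIDENTS), indent=2))
```

Run against live data by replacing SAMPLE_OFFENSES with fetch_qradar_offenses(console_url, token) and SAMPLE_INCIDENTS with the incident records exported from ITSM; offense 103 in the sample shows the case you are looking for after a fresh configuration (an offense with no incident), and offense 102 shows the status drift you would see if the auto-resolve toggle was cleared.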